Hubzilla Support Forum

#HubZilla #fail2ban #twoFactorAuthentication #YunoHost #SSO

1. Can we implement two-factor authentication and fail2ban on HubZilla? Has anyone tried it?
2. YunoHost has the option to keep apps and pages behind SSO. If I keep HubZilla behind SSO, that will completely cut HubZilla off from the outside world. Which domain sub-paths do I need to bypass SSO for, so that HubZilla can talk to other hubs and the federation while behind SSO?

FreeOTP is a two-factor authentication application for systems utilizing one-time password protocols. Tokens can be added easily by scanning a QR code. If you need to generate a QR code, try our QR code generator. FreeOTP implements open standards: HOTP and TOTP. This means that no proprietary server-side component is ...

I think FreeOTP would be nice with the help of a plugin, and to make things more concrete, Fail2Ban would be a great addition too.

I had a nightmare in which Mr. Zuckerberg came and stole my Hubzilla password by making me use some random computer. He said "How can you ignore me?". Blame all the horrifying gifs of him that are being circulated on the internet; they are the main cause of the nightmare.

So if I add my hub behind the protected URLs, then only the users who have logged in to the interface will be able to see the hub. If I only add my login page (/login) behind it, then only the login page will be restricted. But doing this, remote users will not be able to use nomadic identity.

I'd second Mike's advice, even if there are paths that can be protected behind ssowat without major problems: /network, /connections, /mail etc. It's really not worth messing with access restrictions outside of Hubzilla since it does that just fine already. You can already restrict access to everything for people who are not authenticated, and even to people not matching your security choices.

I should have explained my problem first rather than putting forward my own solutions. I have ldapauth for 6 to 7 web applications (including HubZilla). I have a strong password, but now a few other users have joined my server. And whether I like it or not, they will have access to all these apps with ldapauth. And anyone can keep a weak password. So I want every app to have either fail2ban or two-way authentication, or to sit behind SSO (as an extra layer of security, which has fail2ban already). Two-way authentication is an optional feature in the apps, so it's not a guaranteed solution. So I have started to apply fail2ban for apps where it can be applied, and for other apps I am keeping the login page behind the SSO restriction (people have to log in twice with the same authentication to get to the app, but the security is better than before).

For HubZilla I cannot put the login page behind SSO because it has remote login on the login page. So I am thinking of a way to make security stronger for HubZilla.
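Since the post above relies on fail2ban for the apps where it can be applied, here is an added example (not from this thread, not Hubzilla's code and not fail2ban's own) of the logic fail2ban applies once a filter matches: a per-IP sliding window of failed logins that triggers a ban after `maxretry` failures within `findtime` seconds, held for `bantime` seconds. The log lines and the `auth failure ... ip=` format are constructed for this example and are not Hubzilla's real log format; the point of the regex is that whatever filter you write for a hub must capture the client IP from the line your hub actually logs, which is the part to verify before enabling a jail.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for this example. This is NOT Hubzilla's real log format;
# check what your hub actually writes on a failed login and adjust FAILREGEX.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth failure user=alice ip=203.0.113.5
2024-05-01T10:00:05 auth failure user=alice ip=203.0.113.5
2024-05-01T10:00:09 auth success user=bob ip=198.51.100.7
2024-05-01T10:00:12 auth failure user=admin ip=203.0.113.5
2024-05-01T10:00:20 auth failure user=admin ip=203.0.113.5
2024-05-01T10:00:21 auth failure user=admin ip=203.0.113.5
2024-05-01T10:30:00 auth failure user=carol ip=198.51.100.7
"""

# Plays the role of a fail2ban failregex: it must capture the timestamp and client IP.
FAILREGEX = re.compile(r"^(?P<ts>\S+) auth failure user=\S+ ip=(?P<ip>\S+)$")


class BanTracker:
    """Sliding-window failure counter per IP, mirroring fail2ban's maxretry/findtime/bantime."""

    def __init__(self, maxretry: int = 5, findtime: int = 600, bantime: int = 3600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> datetime when the ban expires

    def observe(self, line: str):
        """Feed one log line; return the IP if this line triggers a new ban, else None."""
        m = FAILREGEX.match(line)
        if not m:
            return None                      # success lines and unrelated noise are ignored
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        until = self.banned_until.get(ip)
        if until is not None and ts < until:
            return None                      # already banned, nothing new to do
        window = self.failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()                 # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            return ip
        return None


def process_log(text: str, **jail_options):
    """Run every line through the tracker; return [(ip, ban_expiry), ...] in order."""
    tracker = BanTracker(**jail_options)
    bans = []
    for line in text.splitlines():
        ip = tracker.observe(line)
        if ip is not None:
            bans.append((ip, tracker.banned_until[ip]))
    return bans


if __name__ == "__main__":
    for ip, until in process_log(SAMPLE_LOG):
        print(f"ban {ip} until {until.isoformat()}")
```

With the defaults, the five failures from 203.0.113.5 inside ten minutes produce one ban and the single failure from 198.51.100.7 produces none; tightening `maxretry` moves the ban earlier, and a very short `findtime` lets the same burst through, which is the trade-off to keep in mind when tuning a jail for a hub that also receives legitimate federation traffic.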

It's more complicated than that, because one can log in on any page. Several page modules (network is one) will display a login box inline if one tries to access them without being authenticated. The actual authentication is trapped at the system level before the router is invoked (which handles specific pages). And as we discovered a couple of days ago, you can apparently log in on the chess page and possibly bypass any Hubzilla security mechanisms.

The best ways forward may include one or more of:

1. Edit the ldapauth addon or create a new one that traps all local authentication and perhaps redirects to your SSO service.
2. Create a 2FA addon and link it to your chosen authentication addon.
3. In either case a password complexity checker might be useful.
4. Figure out what it would take to bring WebAuthn to your software(s) and help get rid of the entire username/password infrastructure.